armada-go/pkg/auth/auth.go

package auth

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"github.com/spf13/viper"
	"net/http"
	"strings"
	"time"

	"github.com/gin-gonic/gin"

	"opendev.org/airship/armada-go/pkg/log"
)

var Log = func(format string, a ...interface{}) {
	log.Printf(format, a...)
}

// Cache provides the interface for cache implementations.
type Cache interface {
	//Set stores a value with the given ttl
	Set(key string, value interface{}, ttl time.Duration)
	//Get retrieves a value previously stored in the cache.
	//value has to be a pointer to a data structure that matches the type previously given to Set
	//The return value indicates if a value was found
	Get(key string, value interface{}) bool
}

// Auth is the entrypoint for creating the middleware
type Auth struct {
	//Keystone v3 endpoint url for validating tokens ( e.g https://some.where:5000/v3)
	Endpoint string
	//User-Agent used for all http request by the middleware. Defaults to go-keystone-middleware/1.0
	UserAgent string
	//A cache implementation the middleware should use for caching tokens. By default, no caching is performed.
	TokenCache Cache
	//How long to cache tokens. Defaults to 5 minutes.
	CacheTime time.Duration

	//http client to use for requests, default to  &http.Client{ Timeout: 5 * time.Second }
	Client *http.Client
}

// New returns a new Auth object initialized with default values
func New(endpoint string) *Auth {
	auth := &Auth{Endpoint: endpoint}
	auth.ensureDefaults()
	return auth
}

// Handler returns a http handler for use in a middleware chain.
func (a *Auth) Handler(h http.Handler) gin.HandlerFunc {
	a.ensureDefaults()
	return gin.WrapH(&handler{Auth: a, handler: h})
}

// Validate a token.
// This is useful if you don't want to use the http middleware
func (a *Auth) Validate(authToken string) (*Token, error) {
	if a.TokenCache != nil {
		var cachedToken Token
		if ok := a.TokenCache.Get(authToken, &cachedToken); ok && cachedToken.Valid() {
			Log("Found valid token in cache")
			return &cachedToken, nil
		}
	}

	req, err := http.NewRequest("GET", a.Endpoint+"/auth/tokens?nocatalog", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Auth-Token", authToken)
	req.Header.Set("X-Subject-Token", authToken)
	req.Header.Set("User-Agent", a.UserAgent)

	r, err := a.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer r.Body.Close()

	if r.StatusCode >= 400 {
		return nil, errors.New(r.Status)
	}

	var resp authResponse
	if err = json.NewDecoder(r.Body).Decode(&resp); err != nil {
		return nil, err
	}

	if e := resp.Error; e != nil {
		return nil, fmt.Errorf("%s : %s", r.Status, e.Message)
	}
	if r.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s", r.Status)
	}
	if resp.Token == nil {
		return nil, errors.New("response didn't contain token context")
	}
	if !resp.Token.Valid() {
		return nil, errors.New("returned token is not valid")
	}

	if a.TokenCache != nil {
		ttl := a.CacheTime
		//The expiry date of the token provides an upper bound on the cache time
		if expiresIn := resp.Token.ExpiresAt.Sub(time.Now()); expiresIn < a.CacheTime {
			ttl = expiresIn
		}
		a.TokenCache.Set(authToken, *resp.Token, ttl)
	}

	return resp.Token, nil
}

func (a *Auth) ensureDefaults() {

	if a.UserAgent == "" {
		a.UserAgent = "go-keystone-middleware/1.0"
	}

	if a.CacheTime == 0 {
		a.CacheTime = 5 * time.Minute
	}

	if a.Client == nil {
		a.Client = &http.Client{
			Timeout: 5 * time.Second,
		}
	}

}

type handler struct {
	*Auth
	handler http.Handler
}

func (h *handler) ServeHTTP(_ http.ResponseWriter, req *http.Request) {
	filterIncomingHeaders(req)
	req.Header.Set("X-Identity-Status", "Invalid")
	authToken := req.Header.Get("X-Auth-Token")
	if authToken == "" {
		return
	}

	context, err := h.Auth.Validate(authToken)
	if err != nil {
		Log("Failed to validate token: %v", err)
		return
	}

	req.Header.Set("X-Identity-Status", "Confirmed")
	for k, v := range context.headers() {
		req.Header.Set(k, v)
	}
	Log("Auth OK Request validated")
}

// Domain holds information about the scope of a token
type Domain struct {
	ID      string
	Name    string
	Enabled bool
}

// Project contains information about the scope of a token
type Project struct {
	ID      string
	Name    string
	Enabled bool
	Domain  Domain
}

// Token describes the scope of a validated token
type Token struct {
	ExpiresAt time.Time `json:"expires_at"`
	IssuedAt  time.Time `json:"issued_at"`
	User      struct {
		ID      string
		Name    string
		Email   string
		Enabled bool
		Domain  struct {
			ID   string
			Name string
		}
	}
	Project *Project
	Domain  *Domain
	Roles   []struct {
		ID   string
		Name string
	}
}

// Valid returns if the token is valid based on the expiration and issue date
func (t Token) Valid() bool {
	now := time.Now().Unix()
	return t.IssuedAt.Unix() <= now && now < t.ExpiresAt.Unix()
}

type authResponse struct {
	Error *struct {
		Code    int
		Message string
		Title   string
	}
	Token *Token
}

func (t Token) headers() map[string]string {
	headers := make(map[string]string)
	headers["X-User-Id"] = t.User.ID
	headers["X-User-Name"] = t.User.Name
	headers["X-User-Domain-Id"] = t.User.Domain.ID
	headers["X-User-Domain-Name"] = t.User.Domain.Name

	if project := t.Project; project != nil {
		headers["X-Project-Name"] = project.Name
		headers["X-Project-Id"] = project.ID
		headers["X-Project-Domain-Name"] = project.Domain.Name
		headers["X-Project-Domain-Id"] = project.Domain.ID

	}

	if domain := t.Domain; domain != nil {
		headers["X-Domain-Id"] = domain.ID
		headers["X-Domain-Name"] = domain.Name
	}

	if roles := t.Roles; roles != nil {
		roleNames := []string{}
		for _, role := range t.Roles {
			roleNames = append(roleNames, role.Name)
		}
		headers["X-Roles"] = strings.Join(roleNames, ",")

	}

	return headers
}

func filterIncomingHeaders(req *http.Request) {
	req.Header.Del("X-Identity-Status")
	req.Header.Del("X-Service-Identity-Status")

	req.Header.Del("X-Domain-Id")
	req.Header.Del("X-Service-Domain-Id")

	req.Header.Del("X-Domain-Name")
	req.Header.Del("X-Service-Domain-Name")

	req.Header.Del("X-Project-Id")
	req.Header.Del("X-Service-Project-Id")

	req.Header.Del("X-Project-Name")
	req.Header.Del("X-Service-Project-Name")

	req.Header.Del("X-Project-Domain-Id")
	req.Header.Del("X-Service-Project-Domain-Id")

	req.Header.Del("X-Project-Domain-Name")
	req.Header.Del("X-Service-Project-Domain-Name")

	req.Header.Del("X-User-Id")
	req.Header.Del("X-Service-User-Id")

	req.Header.Del("X-User-Name")
	req.Header.Del("X-Service-User-Name")

	req.Header.Del("X-User-Domain-Id")
	req.Header.Del("X-Service-User-Domain-Id")

	req.Header.Del("X-User-Domain-Name")
	req.Header.Del("X-Service-User-Domain-Name")

	req.Header.Del("X-Roles")
	req.Header.Del("X-Service-Roles")

	req.Header.Del("X-Service-Catalog")

	//deprecated Headers
	req.Header.Del("X-Tenant-Id")
	req.Header.Del("X-Tenant")
	req.Header.Del("X-User")
	req.Header.Del("X-Role")
}

func Authenticate() (string, error) {
	authUrl := viper.Sub("keystone_authtoken").GetString("auth_url")
	username := viper.Sub("keystone_authtoken").GetString("username")
	password := viper.Sub("keystone_authtoken").GetString("password")
	projectDomainName := viper.Sub("keystone_authtoken").GetString("project_domain_name")
	projectName := viper.Sub("keystone_authtoken").GetString("project_name")
	userDomainName := viper.Sub("keystone_authtoken").GetString("user_domain_name")

	jsonData := []byte(fmt.Sprintf(`{
		"auth": {
			"identity": {
			  "methods": ["password"],
			  "password": {
				"user": {
				  "name": "%s",
				  "domain": { "id": "%s" },
				  "password": "%s"
				}
			  }
			},
			"scope": {
			  "project": {
				"name": "%s",
				"domain": { "id": "%s" }
			  }
			}
		  }
	}`, username, userDomainName, password, projectName, projectDomainName))

	req, err := http.NewRequest("POST", authUrl+"/auth/tokens", bytes.NewBuffer(jsonData))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")

	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != 201 {
		return "", errors.New("http: not authorized")
	}

	token := resp.Header.Get("X-Subject-Token")
	if token == "" {
		return "", errors.New("http: keystone token is empty")
	}

	return token, nil
}